tcpdump mailing list archives

tcpdump - prism headers


From: axi <gustave.flaubert () gmail com>
Date: Wed, 22 Feb 2006 03:42:29 +0100

Hi to all,
this is my first message to the list; first, excuse my English and other mistakes.

I'm developing a decoder of 802.11 packets for Snort, and the first step is to look at how that is done in other tools, like Kismet, Ethereal/Tethereal, and tcpdump.
Now I'm running tests with tcpdump: I use my 802.11 cards in monitor mode (RFMON), and I receive all administration, control and data packets from all networks that transmit on the card's channel.
When I capture with Ethereal or Tethereal, all works fine. But when I try with tcpdump I have some problems.
OK, let's go to the problem. I tested with the hostap, madwifi and acx100 drivers and with acx100, Atheros and Prism 2.5 cards, but the result is the same. When tcpdump receives a packet with Prism headers, recognized as shown here:

"listening on ath0, link-type PRISM_HEADER (802.11 plus Prism header), capture size 96 bytes"

it always prints "[|802.11]", for data, control or administration packets. The packet size resulting from the pcap capture seems to be 96 bytes, but when I capture the same packet with Ethereal, it is 240 bytes: 96 bytes + 144 bytes of Prism headers. So it seems that libpcap cuts the Prism headers, and tcpdump always prints "[|802.11]" in the condition below.

Line 1177 of print-802_11.c, in the prism_if_print function:

        if (caplen < PRISM_HDR_LEN) {   /* true, because caplen = 96 bytes
                                           and PRISM_HDR_LEN = 144 bytes */
                printf("[|802.11]");
                return caplen;
        }

When I capture packets with Ethereal and then replay them with tcpdump, all works fine, but when I read from an interface, libpcap removes the Prism headers. Does anyone know why this is? Is it a bug, or am I making a mistake?

Thanks to all,
Asier
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
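As an added illustration, not code from this post or from tcpdump, here is a C model of the check quoted above: it applies the same caplen < PRISM_HDR_LEN guard to a constructed 240-byte Prism-wrapped beacon after truncating it to a given snaplen, so it shows why a 96-byte capture never reaches the 802.11 header and how large a capture has to be to get past it. The 144-byte header layout (msgcode, msglen, devname, ten 12-byte items) and the 24-byte minimum MAC header are the standard sizes; the sample's devname and field values are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PRISM_HDR_LEN 144     /* msgcode(4) + msglen(4) + devname(16) + 10 items * 12 */
#define IEEE80211_MIN_HDR 24  /* shortest management/data MAC header */

enum prism_status { PRISM_OK = 0, PRISM_TRUNC_PRISM, PRISM_TRUNC_80211 };

/* Same guard as the quoted prism_if_print, plus a second one for the 802.11
 * header itself. On PRISM_OK, *type_out is the frame type from the
 * frame-control field: 0 management, 1 control, 2 data. */
enum prism_status
prism_dissect(const uint8_t *pkt, size_t caplen, unsigned *type_out)
{
    if (caplen < PRISM_HDR_LEN)                  /* tcpdump prints "[|802.11]" here */
        return PRISM_TRUNC_PRISM;
    if (caplen - PRISM_HDR_LEN < IEEE80211_MIN_HDR)
        return PRISM_TRUNC_80211;
    *type_out = (pkt[PRISM_HDR_LEN] >> 2) & 0x3; /* bits 2-3 of frame control */
    return PRISM_OK;
}

/* Smallest snaplen that reaches past the Prism header and a minimal MAC header. */
size_t prism_min_snaplen(void) { return PRISM_HDR_LEN + IEEE80211_MIN_HDR; }

/* Constructed sample: a 240-byte Prism-wrapped beacon (type 0, subtype 8).
 * Devname and the zeroed item fields are made up for this example. */
size_t build_sample(uint8_t *buf, size_t bufsz)
{
    const size_t wire_len = 240;
    if (bufsz < wire_len) return 0;
    memset(buf, 0, wire_len);
    buf[4] = PRISM_HDR_LEN;                      /* msglen, little-endian */
    memcpy(buf + 8, "wlan0", 6);                 /* devname */
    buf[PRISM_HDR_LEN] = 0x80;                   /* frame control byte 0 */
    return wire_len;
}

/* Truncate the sample the way libpcap does (caplen = min(len, snaplen))
 * and report what the decoder makes of the result. */
enum prism_status decode_with_snaplen(size_t snaplen, unsigned *type_out)
{
    uint8_t buf[240];
    size_t len = build_sample(buf, sizeof buf);
    size_t caplen = len < snaplen ? len : snaplen;
    return prism_dissect(buf, caplen, type_out);
}
```

With the 96-byte capture the first guard fires before any 802.11 byte is looked at; only a snaplen of at least prism_min_snaplen() bytes lets the frame type be read.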